About Change Result and Accept Rules

On the Recast page in the Host Audits tab, you can create both Change Result and Accept rules. While Change Result rules modify the results of a host audit, Accept rules hide the findings instead. These rules do not modify historical scan results.

Change Result Rules

Change Result rules target audit findings that are determined by the query shown in the Criteria column on the table shown in the Host Audits tab.

Assets Affected by a Change Result Rule

To view assets affected by a change result rule:

  • To view assets affected by a change result rule via the Recast page:

    1. On the Recast page, select the Host Audits tab.

    2. In the row for the rule, select the check box for the change result rule.

    3. On the left side of the row, click the button.

      A table appears.

    4. Click the Assets tab.

      A table appears with the list of assets that meet the Criteria for that rule.

  • To view assets affected by a change result rule via the recast rule details page:

    1. Select the Assets tab in the details view of any change result rule. For more information, see Recast Rule Details.

Note:  In the Explore > Findings table you can find assets whose audit result has been modified by a change result rule. In Findings > Host Audits, use the Results Modified filter with a value of Result Changed. The Result column shows a change result icon (such as ) and a tooltip (such as Failed - Result Changed).

Example Change Result Rule

In the following example, you create a rule to address host audit findings from a HIPAA audit. Since only some assets contain Protected Health Information (PHI), the rule changes results to Passed on assets without PHI:

  • Action — Change Result

  • Category — Custom

  • Audit File — HIPAA_Security_Rule_v1.1.0.audit

  • Audit Name — Check HIPAA Security

  • Original Result — Failed

  • New Result — Passed

  • Targets — Custom

  • Target Hosts — 192.0.2.1 - 192.0.2.10

  • Expires — Never

Accept Rules

Accept rules hide findings instead of changing their results —useful when you want to keep a clean audit list with actionable items. Like Change Result rules, you can apply Accept rules to to some or all assets and set them to expire. When Accept rules expire, targeted findings reappear on the Findings table.

To view findings for an Accept rule, on the Findings table in the Host Audits tab, use the Results Modified filter with a value of Accepted.

Example Accept Rule

In the following example, you create a rule to accept host audit findings for Windows machines with disabled built-in firewalls, since your endpoint security package provides its own firewall:

  • Action — Accept

  • Category — Windows

  • Audit File — CIS_Microsoft_Windows_11_Enterprise_v3.0.0_L1.audit

  • Audit Name —Hide Windows Firewall Findings

  • Original Result — Failed

  • Targets — All

  • Expires — Never